Active Directory in the Real World

This is going to be a bit intense. So smoke your cigarettes. Vape your vape thing. Finish off your Red Bull or Monster cans, and inject your 5-hour Energy shot. Shake your arms out a bit, and flip your head side to side while you bounce up and down on your feet. Take a deeeeeeeeeep breath and exhale fast. Then smack the nearest person and apologize. Feel better now? Good. Let’s move on.

Disclaimer: This is not a personal experience in one instance, but rather, a collective soup of goodness I’ve witnessed over the past twenty-five years in IT.

A typical small company, started in a garage, is now a multi-billion-dollar corporate conglomerate. I have no idea what a conglomerate really is, but it sounds impressive. Anyhow, when they started out as “Tarfu Tech”, they had two dozen computers on a small LAN and a shoestring budget. They grew. Soon they were at 250 computers, then 500, then 1,000, and within five years they were at 5,000 computers. The bulk were located at the HQ, with the rest evenly spread across five locations in North America. A year later, they restructured as “Fubar Tech LLC”.

They had two (2) IT “engineers”, who built everything the hard way, using their hard-learned skills (Google) and cobbling together what they could on a thin budget.

The first engineer decides it’s time to implement Windows 2000 Server with Active Directory and move into the modern world of computing. He designs a domain and OU structure from scratch, and writes a ton of scripts to automate common tasks like adding, renaming, moving, updating, deleting and reporting from objects in the various domains.

After upgrading through Windows Server 2003, 2008, 2008 R2 and finally 2012 R2, he leaves the company for a better job selling condos to retirees. His IT partner also leaves, but not before buying a few books on Group Policy. The partner spends a few months implementing some 150 Group Policy Objects and links them to various parts of the domain, with all sorts of experimental security filtering and WMI filtering thrown in. Before leaving, he realizes about half of the GPOs are no longer needed, so he starts disabling settings in them. Things start to go sideways. He gets tired of hearing complaints from users and managers, and after losing a lengthy battle to get additional IT staff hired, he quits.

The company is now at 10,000 computers and 500 servers, spread across 3 domains in one forest and 2 domains in another forest, with 15,000 user accounts and 46,000 security groups. There are also 150 GPOs in one forest and 125 GPOs in the other. There’s a one-way trust, but it’s not configured correctly. There are roughly 45 DHCP servers throughout the WAN, with some overlapping scopes and unused reservations, and static addresses used on desktops as well as servers. The DHCP servers are a mix of Windows Server, Linux and Netgear wireless routers.

There’s no documentation. There’s no information on licensing or design, and no record of discussions about planning or desired goals. Nothing. But there is a 2015 Rigid Tools bikini calendar above a desk that is covered in USB thumb drives of various models and sizes.

Now, your boss walks in and informs you that your company, Fistronics, is buying Fubar Tech and merging them into a new domain environment under the new name of Fubar-Fisting LLC. You are assigned to merge their network, domains, computers, users and groups, into a new forest and domain.

You fly out, and arrive with coffee the next morning to meet the Fubar staff. They explain how there’s no documentation, no licensing and no one knows how things are configured or why. A clerk hands you a notepad with four pages of scribbled notes, which turn out to be passwords that have been used for sensitive accounts for the past twenty years. They don’t know the names or passwords of the Domain Admins or Enterprise Admins accounts.

You open the network closet door and, after five minutes of pulling cables to the left and right, you can almost see one of the routers in the rack. It’s caked with dust and the fan sounds like a dying cat. There’s no fan or air duct in the closet, just a hole in the door with chicken coop wire stapled across it.

On the table just outside the closet is a laptop sitting on a stack of books. It’s very old and has three hardware lock “dongles” attached from different sides, and at least four cables coming out of it. You reach towards the keyboard, but a voice pops over the nearby cube, “Don’t touch it! It’s our server!” You ask “Are you sure?” and they reply “That’s what they told us before they quit. Nobody’s ever touched it since.”

Your Project Manager calls to inform you that there’s still a 14-day deadline to meet. Then she asks, “How’s the Active Directory environment looking?”

One thought on “Active Directory in the Real World”

Step 1: Burn it all to the ground and start fresh
Step 2: Begin documenting how the new environment is configured
Step 3: Be transitioned to another project with no warning
Step 4: Hope the junior red shirt can take over and finish the documentation
Step 5: Hope for the best